formbook | 9d9e7bb9c7faa619e5f7c2a88d220812495a078c8a9cdf465765300a9abae4be

General

Target

FLY.exe
Size

575KB
MD5

d400c125c91f0da96b71a1335d5c7e9e
SHA1

c5cadd640c60cc5ae5377fa8726c15f38808a131
SHA256

6aeb335b3a8c4506ba69d98007266a0210930cddabc6d3fe6b6c0a28e59ae7db
SHA512

8d77dc100e939fd72e3036307883584af47c35298e049fbc3c92cfb94c4a782180ff0a5c5148d72e4f2e39d6208c9237f65b1f6488e5bfa31cca5c30c0ffbf2f
SSDEEP

12288:nE+RIimQdL6iHOHpF2hJwy+atu6KVC94MVK4ENzZK:nE+evGOHpKavI4YEN

Score

10^/10

formbook cc73 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

cc73

Decoy

viptop77.biz

sell-home-fast-for-cash.xyz

wjbwebsite.top

ceramic.house

anthologymotors.com

acctwiseconsulting.com

xn--bj4blri6mqqan64b.com

roguester.com

blavkimped.com

mostbet-wih8.xyz

biellacapital.com

jasonmoorehead.online

wolrdtenis.com

huahuiblog.com

jonniprince.com

gohanyo.com

l4-j2.pro

coinyeard.com

fh8019.com

iltorlonia.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/2432-11-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2432-15-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2684-21-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook
behavioral1/memory/2684-23-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook

Deletes itself 1 IoCs

pid	Process
2676	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2304 set thread context of 2432	2304	FLY.exe	29
PID 2432 set thread context of 1220	2432	FLY.exe	22
PID 2684 set thread context of 1220	2684	colorcpl.exe	22

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2304	FLY.exe
2432	FLY.exe
2432	FLY.exe
2684	colorcpl.exe
2684	colorcpl.exe
2684	colorcpl.exe
2684	colorcpl.exe
2684	colorcpl.exe
2684	colorcpl.exe
2684	colorcpl.exe
2684	colorcpl.exe
2684	colorcpl.exe
2684	colorcpl.exe
2684	colorcpl.exe
2684	colorcpl.exe
2684	colorcpl.exe
2684	colorcpl.exe
2684	colorcpl.exe
2684	colorcpl.exe
2684	colorcpl.exe
2684	colorcpl.exe
2684	colorcpl.exe
2684	colorcpl.exe
2684	colorcpl.exe
2684	colorcpl.exe
2684	colorcpl.exe
2684	colorcpl.exe
2684	colorcpl.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1220	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2432	FLY.exe
2432	FLY.exe
2432	FLY.exe
2684	colorcpl.exe
2684	colorcpl.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2304	FLY.exe
Token: SeDebugPrivilege	2432	FLY.exe
Token: SeDebugPrivilege	2684	colorcpl.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 1576	2304	FLY.exe	28
PID 2304 wrote to memory of 1576	2304	FLY.exe	28
PID 2304 wrote to memory of 1576	2304	FLY.exe	28
PID 2304 wrote to memory of 1576	2304	FLY.exe	28
PID 2304 wrote to memory of 2432	2304	FLY.exe	29
PID 2304 wrote to memory of 2432	2304	FLY.exe	29
PID 2304 wrote to memory of 2432	2304	FLY.exe	29
PID 2304 wrote to memory of 2432	2304	FLY.exe	29
PID 2304 wrote to memory of 2432	2304	FLY.exe	29
PID 2304 wrote to memory of 2432	2304	FLY.exe	29
PID 2304 wrote to memory of 2432	2304	FLY.exe	29
PID 1220 wrote to memory of 2684	1220	Explorer.EXE	30
PID 1220 wrote to memory of 2684	1220	Explorer.EXE	30
PID 1220 wrote to memory of 2684	1220	Explorer.EXE	30
PID 1220 wrote to memory of 2684	1220	Explorer.EXE	30
PID 2684 wrote to memory of 2676	2684	colorcpl.exe	31
PID 2684 wrote to memory of 2676	2684	colorcpl.exe	31
PID 2684 wrote to memory of 2676	2684	colorcpl.exe	31
PID 2684 wrote to memory of 2676	2684	colorcpl.exe	31

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Users\Admin\AppData\Local\Temp\FLY.exe
  "C:\Users\Admin\AppData\Local\Temp\FLY.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Users\Admin\AppData\Local\Temp\FLY.exe
    "C:\Users\Admin\AppData\Local\Temp\FLY.exe"
    3⤵
    PID:1576
- - C:\Users\Admin\AppData\Local\Temp\FLY.exe
    "C:\Users\Admin\AppData\Local\Temp\FLY.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2432
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\SysWOW64\colorcpl.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\FLY.exe"
    3⤵
    - Deletes itself
    PID:2676

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1220-28-0x0000000004A40000-0x0000000004B3A000-memory.dmp

Filesize
1000KB

Download
memory/1220-31-0x000007FEF6270000-0x000007FEF63B3000-memory.dmp

Filesize
1.3MB

Download
memory/1220-26-0x0000000006CE0000-0x0000000006D9F000-memory.dmp

Filesize
764KB

Download
memory/1220-17-0x0000000000010000-0x0000000000020000-memory.dmp

Filesize
64KB

Download
memory/1220-27-0x0000000006CE0000-0x0000000006D9F000-memory.dmp

Filesize
764KB

Download
memory/1220-18-0x0000000004A40000-0x0000000004B3A000-memory.dmp

Filesize
1000KB

Download
memory/1220-33-0x0000000006CE0000-0x0000000006D9F000-memory.dmp

Filesize
764KB

Download
memory/1220-32-0x000007FF194E0000-0x000007FF194EA000-memory.dmp

Filesize
40KB

Download
memory/2304-0-0x0000000000A40000-0x0000000000AD6000-memory.dmp

Filesize
600KB

Download
memory/2304-1-0x0000000074DD0000-0x00000000754BE000-memory.dmp

Filesize
6.9MB

Download
memory/2304-6-0x0000000004F90000-0x0000000004FFE000-memory.dmp

Filesize
440KB

Download
memory/2304-12-0x0000000074DD0000-0x00000000754BE000-memory.dmp

Filesize
6.9MB

Download
memory/2304-5-0x0000000000440000-0x000000000044A000-memory.dmp

Filesize
40KB

Download
memory/2304-4-0x0000000000210000-0x0000000000216000-memory.dmp

Filesize
24KB

Download
memory/2304-3-0x0000000000320000-0x0000000000338000-memory.dmp

Filesize
96KB

Download
memory/2304-2-0x0000000004E30000-0x0000000004E70000-memory.dmp

Filesize
256KB

Download
memory/2432-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2432-16-0x0000000000110000-0x0000000000125000-memory.dmp

Filesize
84KB

Download
memory/2432-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2432-13-0x0000000000AE0000-0x0000000000DE3000-memory.dmp

Filesize
3.0MB

Download
memory/2432-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2432-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2432-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2684-19-0x0000000000D10000-0x0000000000D28000-memory.dmp

Filesize
96KB

Download
memory/2684-20-0x0000000000D10000-0x0000000000D28000-memory.dmp

Filesize
96KB

Download
memory/2684-21-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/2684-22-0x0000000002130000-0x0000000002433000-memory.dmp

Filesize
3.0MB

Download
memory/2684-23-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/2684-24-0x0000000000950000-0x00000000009E4000-memory.dmp

Filesize
592KB

Download

Analysis

Sharing